Leakage Assessment Methodology - a clear roadmap for side-channel - - PowerPoint PPT Presentation

leakage assessment methodology
SMART_READER_LITE
LIVE PREVIEW

Leakage Assessment Methodology - a clear roadmap for side-channel - - PowerPoint PPT Presentation

Apr 15, 2023 264 likes •750 views

Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi Friday, September 11 th , 2015 Motivation Physical Attacks & Countermeasures input output input output Timing, Power, EM,

slide-1
SLIDE 1

Leakage Assessment Methodology

  • a clear roadmap for side-channel evaluations -

Tobias Schneider and Amir Moradi Friday, September 11th, 2015

slide-2
SLIDE 2

2

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Motivation Physical Attacks & Countermeasures

input

  • utput

input

  • utput

… Timing, Power, EM, etc. Countermeasures:

  • Masking
  • Hiding

Higher-order Attacks Multivariate Univariate

slide-3
SLIDE 3

3

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Problem: Evaluation is not trivial. Non-Invasive Attack Testing Workshop, 2011 Establish testing methodology capable of robustly assessing the physical vulnerability of cryptographic devices. Goal: Does the chip leak information?

Motivation Security Evaluation

slide-4
SLIDE 4

4

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Perform state-of-the-art attacks on the device under test (DUT)

Attacks Types:

  • DPA
  • CPA
  • MIA

Intermediate Values:

  • Sbox In
  • Sbox Out
  • Sbox In/Out

Leakage Models:

  • HW
  • HD
  • Bit

× ×

Problems:

  • High computational complexity
  • Requires lot of expertise
  • Does not cover all possible attack vectors

Motivation Attack-based Testing

slide-5
SLIDE 5

5

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Computation of Mutual/Perceived Information

Motivation Information-theoretic Testing

Problems:

  • High computational complexity
  • Cannot focus on one statistical moment
  • Dependent on density estimation
  • Does not cover all possible attack vectors
slide-6
SLIDE 6

6

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Tries to detect any type of leakage at a certain order

  • Proposed by CRI at NIST workshop

Advantages:

  • Independent of architecture
  • Independent of attack model
  • Fast & simple
  • Versatile

Problems:

  • No information about hardness of

attack

  • Possible false positives if no care

about evaluation setup

Motivation Testing based on t-Test

slide-7
SLIDE 7

7

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Outline

  • 1. Statistical Background
  • 2. Testing Methodology
  • 3. Correct Measurement
  • 4. Efficient Computation
  • 5. Conclusion
slide-8
SLIDE 8

8

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Statistical Background

  • t-Test
slide-9
SLIDE 9

9

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Sample 𝑅0 Sample 𝑅1

Null Hypothesis: Two population means are equal.

Statistical Background t-Test

slide-10
SLIDE 10

10

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Sample 𝑅0 Sample 𝑅1

Sample mean: Sample variance: Sample size: 𝜈0 𝑡0

2

𝑜0 𝜈1 𝑡1

2

𝑜1

t = 𝜈0 − 𝜈1 𝑡0

2

𝑜0 + 𝑡1

2

𝑜1 v = 𝑡0

2

𝑜0 + 𝑡1

2

𝑜1

2

𝑡0

2

𝑜0

2

𝑜0 − 1 + 𝑡1

2

𝑜1

2

𝑜1 − 1

Degree of freedom 𝑢-test statistic

Statistical Background t-Test

slide-11
SLIDE 11

11

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Estimate the probability to accept null hypothesis with Student’s 𝑢 distribution:

𝑔 𝑢, 𝑤 = Γ 𝑤 + 1 2 𝜌𝑤 Γ 𝑤 2 1 + 𝑢2 𝑤

−𝑤+1 2

𝑞 = 2

|𝑢| ∞

𝑔 t, v 𝑒𝑢

Statistical Background t-Test

Compute: Small 𝑞 values give evidence to reject the null hypothesis

𝑤 𝑢

slide-12
SLIDE 12

12

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

  • For testing usually only the 𝑢-value is estimated
  • Compared to a threshold of t > 4.5
  • 𝑞 = 2𝐺 −4.5, 𝑤 > 1000 < 0.00001
  • Confidence of > 0.99999 to reject the null hypothesis

Statistical Background t-Test

slide-13
SLIDE 13

13

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Testing Methodology

  • Specific 𝒖-Test
  • Non-Specific t-Test
  • Higher Orders
slide-14
SLIDE 14

14

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Measurements 𝑈𝑗 With Associated Data 𝐸𝑗

𝑅0 𝑅1

𝑢𝑏𝑠𝑕𝑓𝑢 𝑐𝑗𝑢 𝐸𝑗 = 0 𝑢𝑏𝑠𝑕𝑓𝑢 𝑐𝑗𝑢 𝐸𝑗 = 1

Specific t-Test:

  • Key is known to enable correct partitioning
  • Test is conducted at each sample point separately (univariate)
  • If corresponding 𝑢-test exceeds threshold ⇒ DPA probable

Testing Methodology Specific t-Test

slide-15
SLIDE 15

15

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Measurements 𝑈𝑗 With Associated Data 𝐸𝑗

𝑅0 𝑅1

𝒖𝒃𝒔𝒉𝒇𝒖 𝒄𝒛𝒖𝒇 𝑬𝒋 = 𝒚 𝒖𝒃𝒔𝒉𝒇𝒖 𝒄𝒛𝒖𝒇 𝑬𝒋 ≠ 𝒚

Testing Methodology Specific t-Test

Specific t-Test:

  • Key is known to enable correct partitioning
  • Test is conducted at each sample point separately (univariate)
  • If corresponding 𝑢-test exceeds threshold ⇒ DPA probable

Other classifications possible

slide-16
SLIDE 16

16

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Example: PRESENT (last round)

  • addRoundKey, sBoxLayer, pLayer
  • Bitwise: 3 × 64 tests
  • Nibblewise: 3 × 16 × 16 tests
  • Other tests possible

Sbox out bits (64 models) Sbox 0 nibble (16 models)

Problems:

  • Same as attack-based approach
  • Many different intermediate values
  • Many different models

Testing Methodology Specific t-Test

slide-17
SLIDE 17

17

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Non-Specific t-Test:

  • fixed vs. random t-test
  • Avoids being dependent on any intermediate value/model
  • Detected leakage of single test is not always exploitable

Measurements 𝑈𝑗 With Random Associated Data D𝑗 Measurements 𝑈

𝑘

With Fixed Associated Data D

𝑅0 𝑅1

Testing Methodology Non-Specific t-Test

slide-18
SLIDE 18

18

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Testing Methodology Non-Specific t-Test

𝑅0 𝑅1

4000 4500 5000 5500 6000 6500 7000

  • 100
  • 50

50 100

t-Test

𝜈: 𝑡2:

slide-19
SLIDE 19

19

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

  • Non-specific t-test reports a detectable leakage

⇒ Specific t-test reports leakage with higher confidence

  • Other direction (⇐) cannot be concluded from a single

non-specific t-test

  • Recommended to perform a number of non-specific tests

with different fixed data

Testing Methodology Non-Specific t-Test

Semi-fixed vs. random test:

  • Use a set of particular associated data instead of only one
  • All lead to certain intermediate value
  • Eliminates some of the drawbacks of fixed vs. random
slide-20
SLIDE 20

20

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Testing Methodology Higher Orders

Multivariate:

  • Sensitive variable is shared: 𝑇 = 𝑇1 ∘ 𝑇2
  • Shares are processed at different time instances (SW)
  • Leakages at different time instances need to be combined first

𝑇1 𝑇2

Centered Product: 𝑦′ = 𝑦1 − 𝜈1 ⋅ 𝑦2 − 𝜈2

slide-21
SLIDE 21

21

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Testing Methodology Higher Orders

Variance: 𝑦′ = 𝑦 − 𝜈 2 In general: 𝑦′ = 𝑦 − 𝜈 𝑒 In some cases: 𝑦′ =

𝑦−𝜈 𝑡 𝑒

Univariate:

  • Shares are processed in parallel (HW)
  • Leakages at the same time instance need to be combined first

𝑇1 𝑇2

slide-22
SLIDE 22

22

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Correct Measurement

  • Setup
  • Case Study: Microcontroller
  • Case Study: FPGA
  • Recommendations
slide-23
SLIDE 23

23

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Correct Measurement Setup

PC Oscilloscope Control Target

Plaintext Ciphertext Measure Trigger

Pitfalls:

  • Order of fixed and random inputs should

be random as well

  • Communication between Control and

Target should be masked (if possible)

slide-24
SLIDE 24

24

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Correct Measurement CS: Microcontroller

  • AES with masking & shuffling (DPA contest v4.2)
  • No shared communication
  • First-order test
  • Leakage associated to unmasked plaintext
slide-25
SLIDE 25

25

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Correct Measurement CS: Microcontroller

Detectable first order leakage

slide-26
SLIDE 26

26

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Correct Measurement CS: FPGA

  • NLFSR [1]
  • 2nd –order threshold implementation
  • Test at different orders

A note on the security of Higher-Order Threshold Implementations Oscar Reparaz, ePrint Report 2015/001 [1]

slide-27
SLIDE 27

27

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Correct Measurement CS: FPGA

First Order

No plaintext leakage

No detectable leakage in first two orders (univariate)

Second Order

slide-28
SLIDE 28

28

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Correct Measurement CS: FPGA

Fifth Order Second Order (bivariate)

Might be vulnerable to bivariate second order attack

slide-29
SLIDE 29

29

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Correct Measurement Recommendations

Fixed vs. random:

  • DUT with masking countermeasure
  • With masked communication

Semi-fixed vs. random:

  • DUT with hiding countermeasure
  • Without masked communication

Specific t-test:

  • DUT with no countermeasures
  • Failed in former non-specific tests
  • Identify suitable intermediate values for key recovery
slide-30
SLIDE 30

30

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Efficient Computation

  • Classical Approach
  • Incremental
  • Multivariate
  • Parallelization
slide-31
SLIDE 31

31

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Efficient Computation Classical Approach

Measurement Phase Analysis Phase 𝑈

𝑜−1

… 𝑈

2

𝑈

1

𝑈 Time t-Test Result

slide-32
SLIDE 32

32

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Efficient Computation Classical Approach

t = 𝜈0 − 𝜈1 𝑡0

2

𝑜0 + 𝑡1

2

𝑜1 𝜈1, 𝑡1

2

𝜈0, 𝑡0

2

Requires estimation of: Reminder:

  • 𝜈 = 𝐹 𝑈
  • 𝑡2 = 𝐹

𝑈 − 𝜈 2

𝑈

𝑜−1

… 𝑈

1

𝑈 t-Test Pass 1

𝜈 = 𝐹 𝑈

Pass 2

𝑡2 = 𝐹 𝑈 − 𝜈 2

Pass 3

Required for certain higher-order tests

slide-33
SLIDE 33

33

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Efficient Computation Classical Approach

Problems:

1) Measurement phase need to be completed 2) All measurements need to be stored 3) Traces need to be loaded multiple times

Solution: Incremental Computation

slide-34
SLIDE 34

34

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Efficient Computation Incremental

Idea: Update intermediate values for each new trace

𝑈 𝜈, 𝑡2 𝑈

1

𝜈, 𝑡2 … 𝜈, 𝑡2 𝑈

𝑜−1

𝜈, 𝑡2

Advantages:

1) Can be run in parallel to measurement phase 2) Does not require that all measurements are stored 3) Loads each trace only once

Higher-order tests require the computation of additional values

slide-35
SLIDE 35

35

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Efficient Computation Incremental

Problem: Computation of intermediate values Approach 1: Use raw moments dth-order raw moment: 𝑁𝑒 = 𝐹 𝑈𝑒 Given: 𝑁1 𝑁2 𝜈 = 𝑁1 𝑡2 = 𝑁2 − 𝑁1 2 Compute: Higher-order test require additional moments Example: Univariate 1st-5th order tests require 𝑁1 − 𝑁10

slide-36
SLIDE 36

36

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Efficient Computation Incremental

𝑈 𝑁1 − 𝑁10 𝑈

1

… 𝑈

𝑜−1

𝑁1 − 𝑁10 𝑁1 − 𝑁10 𝑁1 − 𝑁10 t-Test Result t-Test Result

slide-37
SLIDE 37

37

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Efficient Computation Incremental

𝑈 𝑁1 − 𝑁10 𝑈

1

… 𝑈

𝑜−1

𝑁1 − 𝑁10 𝑁1 − 𝑁10 𝑁1 − 𝑁10 t-Test Result

Easy to find update formulas for: 𝑁𝑒 =

𝑗=0 𝑜−1 𝑈𝑗 𝑒

𝑜 Problem: Numerical unstable for large number of traces

Method Order 1 Order 2 Order 3 Order 4 Order 5 3-Pass 25.08399 1258.18874 15.00039 96.08342 947.25523 Raw 25.08399 1258.14132 14.49282

  • 1160.83799
  • 1939218.83401

Example: Computation of variance based on simulations (100M traces ) with 𝒪 100,25

slide-38
SLIDE 38

38

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Efficient Computation Incremental

Approach 2: Use central moments (and 𝑁1) dth-order central moment: 𝐷𝑁𝑒 = 𝐹 (𝑈 − 𝜈)𝑒 Given: 𝑁1 C𝑁2 𝜈 = 𝑁1 𝑡2 = 𝐷𝑁2 Compute: Higher-order test require additional central moments 𝜈𝑒 =

𝐷𝑁𝑒 𝐷𝑁2

𝑒

𝑡𝑒 2 = 𝐷𝑁2𝑒 − 𝐷𝑁𝑒

2

𝐷𝑁2

𝑒

slide-39
SLIDE 39

39

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Efficient Computation Incremental

Not that easy to find update formulas for: 𝐷𝑁𝑒 =

𝑗=0 𝑜−1 𝑈𝑗 − 𝜈 𝑒

𝑜 Idea: Use incremental formulas for central sums from [2]

Formulas for Robust, One-Pass Parallel Computation of Covariances and Arbitrary-Order Statistical Moments Philippe Pébay, Sandia Report SAND2008-6212 [2]

𝐷𝑇𝑒 =

𝑗

𝑈𝑗 − 𝜈 𝑒 with 𝐷𝑁𝑒 =

𝐷𝑇𝑒 𝑜

Central sum: For set 𝑅′ = 𝑅 ∪ {𝑢} with Δ = 𝑢 − 𝑁1,𝑅: 𝐷𝑇𝑒,𝑅′ = 𝐷𝑇𝑒,𝑅 +

𝑙=1 𝑒−2

𝑒 𝑙 𝐷𝑇𝑒−𝑙,𝑅 −Δ 𝑜

𝑙

+ 𝑜 − 1 𝑜 Δ

𝑒

1 − −1 𝑜 − 1

𝑒−1

slide-40
SLIDE 40

40

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

A t-test of order d requires to estimate the central moments up to order 2d.

Comparison to the raw moments approach:

  • Slightly higher computational effort
  • Less numerical problems, higher accuracy

Efficient Computation Incremental

Method Order 1 Order 2 Order 3 Order 4 Order 5 3-Pass 25.08399 1258.18874 15.00039 96.08342 947.25523 Raw 25.08399 1258.14132 14.49282

  • 1160.83799
  • 1939218.83401

Our 25.08399 1258.18874 15.00039 96.08342 947.25523

slide-41
SLIDE 41

41

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

  • If combination function does not use the mean, computation of

the parameters is trivial (e.g., sum or product)

  • Problematic for optimum combination function (centered product)

𝑈

𝑗 = 𝐵𝑗 ⋅ 𝐶𝑗

Efficient Computation Multivariate

𝑈𝑗 = 𝐵𝑗 + 𝐶𝑗 𝑈

𝑗 = 𝐵𝑗 − 𝜈𝐵 ⋅ 𝐶𝑗 − 𝜈𝐶

  • Incremental formulas need to be adjusted
slide-42
SLIDE 42

42

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

𝑢𝑜,0 𝑢𝑜,1 𝑢𝑜,2 𝑢𝑜,3 𝑢𝑜,4

Trace n

Thread Thread 1 Thread 2 Thread 3 Thread 4

  • Computations on separate points completely independent (univariate)

Time Comparison (8 Threads):

  • 10M traces
  • 22500 sample points
  • 1st-5th order

Efficient Computation Parallelization

𝑢𝑜+1,0 𝑢𝑜+1,1 𝑢𝑜+1,2 𝑢𝑜+1,3 𝑢𝑜+1,4

Trace n+1

Method Time Memory 3-Pass 10.7 h 108.280 KB Raw 5.6 h 108.452 KB Our 5.9 h 108.592 KB

slide-43
SLIDE 43

43

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

  • Useful if measurement phase already completed
  • Need adjusted formulas for the central sums

Efficient Computation Parallelization

𝑢𝑜,0 𝑢𝑜,1 𝑢𝑜,2 𝑢𝑜,3 𝑢𝑜,4

Trace n

Thread

𝑢𝑜+1,0 𝑢𝑜+1,1 𝑢𝑜+1,2 𝑢𝑜+1,3 𝑢𝑜+1,4

Trace n+1

Thread 1

slide-44
SLIDE 44

44

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

  • Possible to combine both approaches for maximum performance

Efficient Computation Parallelization

𝑢𝑜,0 𝑢𝑜,1 𝑢𝑜,2 𝑢𝑜,3 𝑢𝑜,4

Trace n

Thread

𝑢𝑜+1,0 𝑢𝑜+1,1 𝑢𝑜+1,2 𝑢𝑜+1,3 𝑢𝑜+1,4

Trace n+1

Thread 1 Thread 2 Thread 3

Example:

  • 1st-5th order t-test
  • 100,000,000 traces (each with 3,000 sample points)
  • 9h on 2 x Intel Xeon X5670 CPUs @ 2.93 GHz (24 hyper-threading cores)
slide-45
SLIDE 45

45

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Conclusion

slide-46
SLIDE 46

46

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

  • t-test is simple and fast
  • Some aspects need to be considered for correct testing
  • Measurement Phase
  • Analysis Phase
  • t-test for security evaluation has become popular

Conclusion

slide-47
SLIDE 47

47

Leakage Assessment Methodology | WISE 2015 | Tobias Schneider

Thanks for Listening!

Any Questions?